Re: [Plugins-writers] Unsynchronised clock detection

From: Renaud Deraison (deraison@private)
Date: Fri Sep 24 2004 - 06:00:22 PDT


On Fri, Sep 24, 2004 at 09:41:15AM +0100, Martin O'Neal wrote:
> 
> NASL script to detect if the remote host's clock is synchronised to the
> local host. Uses ICMP TIMESTAMP, HTTP date headers and NTP (there will
> be others, but this will do for a first cut).
> 
> Uses <60sec as an acceptable level of drift, which is arbitrary and the
> first thing that sprang to mind.
> 
> Relies on the unixtime() function, so needs either the 2.1 code, or 2.0
> via CVS.

This is very interesting. What do you think of the following :

- Attempt to guess time via HTTP first. Mostly because if we are
  scanning a web server, we get an instant reply and exit instead
  of sending udp/icmp packets to a likely-to-be-filtered port/protocol.

- The current code actually checks for 3 drifts : one in ICMP, one in
  NTP and one in HTTP. It's a safe bet to assume that the remote host is
  constistent with itself, and exit after the first answer we get
  (ie: if the ICMP timestamp is correct, exit right away instead of
   trying NTP and HTTP).


?


				-- Renaud
_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers



This archive was generated by hypermail 2.1.3 : Fri Sep 24 2004 - 06:01:40 PDT